iOS Device Settings
05/12/2025 Friday
iOS Device Settings are used to record key configuration values that control how an iPhone or iPad is backed
up, located, and time-stamped. In this artifact, information is stored about the most recent iCloud and
iTunes/Finder backups (including their dates and associated time zones), the current status of cloud backup,
and whether the Find My iPhone service is enabled, as well as the date on which it was turned on. The global
state of Location Services and the device’s configured time zone are also recorded, so that the overall
backup, tracking, and time-keeping behavior of the device can be understood from a single view.
Digital Forensics Value of iOS Device Settings
The digital forensics value of these iOS Device Settings is derived from the way backup, location, and time
configuration information is recorded on the device. The last iCloud and iTunes backup dates, their time
zones, and the cloud backup status can be used to determine when data was most recently preserved, whether a
backup window existed around an incident, and whether off-device copies of evidence are likely to exist. The
Find My iPhone state and its enable date, together with the global Location Services setting and device time
zone, can be used to assess how easily the device could be located or remotely erased, how reliably other
location and timestamped artifacts should be interpreted, and whether changes to these settings may have
been made in proximity to relevant events.
Location of iOS Device Settings Artifacts
According to current iOS implementations, the values shown in this artifact are parsed from several
preference files stored under:
/private/var/mobile/Library/Preferences/
Information about the last iCloud and iTunes backups, their associated time zones, and the cloud backup status is stored in the binary plist file com.apple.mobile.ldbackup.plist.
The global state of Location Services is stored in com.apple.locationd.plist, while the device time zone is recorded as part of the global locale configuration in .GlobalPreferences.plist.
Analyzing iOS Device Settings Artifact with ArtiFast
This section will discuss how to use ArtiFast to extractiOS Device Settings artifacts from iOS devices’
files and what kind of digital forensics insights we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection phase,
you can select iOS Device Settings artifact parser:
×
Once ArtiFast parsers plugins complete processing the artifact for analysis, it can be reviewed via “Artifact View” or “Timeline View,” with indexing, filtering, and searching capabilities. Below is a detailed description of iOS Device Settings artifacts in ArtiFast.
iOS Device Settings:
- Last iTunes Backup Date: The date and time when the most recent backup via iTunes or Finder was completed are stored here.
- Last iTunes Backup TZ: The time zone that was in effect when the last iTunes/Finder backup occurred is recorded as a time zone string or abbreviation.
- Cloud Backup Status: The current state of iCloud backup for the device is shown here (for example, whether automatic cloud backups are enabled or disabled).
- Find My iPhone: The current status of the Find My iPhone feature is recorded in this field, indicating whether the service is active on the device.
- Find My iPhone Enabled Date: The date and time when Find My iPhone was last enabled are stored here, providing a reference point for activation of the service.
- Last Cloud Backup TZ: The time zone associated with the last completed iCloud backup is recorded here so that the cloud backup time can be interpreted correctly.
- Location Service: The global state of Location Services on the device is stored in this field, indicating whether system-wide location access has been turned on or off.
- Time Zone: The device’s configured time zone (for example, Europe/Istanbul or America/New_York) is recorded here and can be used when interpreting other timestamps from the device.
For more information or suggestions please contact: Ali.torabkhani@forensafe.com
